Feds Accuse D-Link Of Failing To Properly Secure Routers & Webcams

Federal regulators have accused D-Link, a manufacturer of popular networking and smart-home products, of leaving its routers and webcam devices vulnerable to hackers.

A lawsuit [PDF], filed this morning in a U.S. District Court in San Francisco by the Federal Trade Commission, alleges that China-based D-Link and its U.S. partner “failed to take reasonable steps to protect their routers and IP cameras from widely known and reasonably foreseeable risks of unauthorized access.”

The FTC contends that D-Link chose to not secure these devices against flaws that have been considered critical for nearly a decade. These vulnerabilities, alleges the complaint, are easily preventable but can also be easily taken advantage of if left unfixed.

In addition to leaving devices open to hacking, the lawsuit claims that D-Link elected to not secure users’ mobile app login credentials, but “instead have stored those credentials in clear, readable text on a user’s mobile device.”

Vulnerable web-connected devices can be used for botnet attacks on websites and other online services.

“In many instances, remote attackers could take simple steps, using widely available tools, to locate and exploit Defendants’ devices, which were widely known to be vulnerable,” explains the FTC, saying that once these unsecured devices have been identified “An attacker could compromise a consumer’s router, thereby obtaining unauthorized access to consumers’ sensitive personal information.”

The complaint gives the example of using a compromised D-Link router to redirect online visitors from a legitimate financial services site to a spoofed, lookalike site in order to gain their login credentials or other information.

A hacker could also use a compromised router to access sensitive files and information stored on computers and storage drives attached to that router’s network. The router could also be used to hack other web-connected devices in the home.

Hacked D-Link webcams could be used to surreptitiously monitor a person or a business, tracking their movements and recording their activities.

In addition to allegedly producing routers and webcams that aren’t secure, D-Link also stands accused of misleading customers about the security of these devices.

For more than a year, the company had a statement on its site declaring “D-Link prohibits… any intentional product features or behaviors which allow unauthorized access to the device or network, including… covert communication channels, ‘backdoors’ or undocumented traffic diversion. All such features and behaviors are considered serious and will be given the highest priority.”

In its marketing, D-Link described the devices as “Easy To Secure” and offering “Advanced Network Security.”

“In truth and in fact,” writes the FTC, “Defendants did not take reasonable steps to secure their products from unauthorized access.”

“Hackers are increasingly targeting consumer routers and IP cameras — and the consequences for consumers can include device compromise and exposure of their sensitive personal information,” says Jessica Rich, director of the FTC’s Bureau of Consumer Protection, about the D-Link complaint. “When manufacturers tell consumers that their equipment is secure, it’s critical that they take the necessary steps to make sure that’s true.”

In a statement emailed to Consumerist, D-Link responds to the lawsuit:
“D-Link Systems, Inc. is aware of the complaint filed by the FTC. D-Link denies the allegations outlined in the complaint and is taking steps to defend the action. The security of our products and protection of our customers private data is always our top priority.”

In related news, the FTC recently offered a prize of $25,000 in its first Internet of Things Home Inspector Challenge, a competition looking for new and innovative ways to help secure the growing menagerie of web-connected devices taking over our homes, offices, roads, and public spaces.